Abstract:
Widespread cyberattacks necessitate robust cybersecurity practices within South African higher education institutions (HEIs). System users, particularly employees, are often inadvertently a major entry point for cyberattacks, highlighting the critical need for employees’ cybersecurity behaviour to adhere to ethical guidelines and adapt to evolving cyber threats. This study investigates how South African HEIs’ cybersecurity environment, encompassing factors like cybersecurity awareness, policies and prior employee experience, influences employee cybersecurity behaviour. Building on the protection motivation theory and the theory of planned behaviour, the study developed a conceptual model that integrates and explores the impact of cybersecurity awareness, policy awareness and experience within the institutional context on employee attitudes, subjective norms, perceived behavioural control, threat appraisal, and self-efficacy, ultimately leading to cybersecurity-compliant behaviour. This model was tested using data from a survey of 283 employees in South African HEIs. Structural equation modelling, ANOVA and post hoc procedures were employed to test the proposed hypotheses. The findings indicate that employees who are aware of or know their institutions’ cybersecurity policies are more competent in managing cybersecurity tasks than those who are unaware. The findings show that institutions’ cybersecurity environment, including cybersecurity awareness, policy and experience, positively influences employees’ attitudes, subjective norms and perceived behavioural control, which, in turn, positively contribute to their cybersecurity-compliant behaviour. Similarly, perceived behavioural control, threat appraisal and self-efficacy directly and significantly impact cybersecurity-compliant behaviour. These results highlight the importance of fostering a comprehensive cybersecurity environment in South African HEIs, emphasising awareness training, transparent policies, practical experience, and efforts to cultivate a sense of empowerment amongst employees regarding cybersecurity practices. This study contributes to advancing knowledge on cybersecurity behaviour in South African HEIs by offering insights specific to the institutional cybersecurity environment and ultimately fostering a more secure cybersecurity structure within these institutions.